Regarding Open Source, Security, and Cloud Migration, Old Prejudices Die Hard in Health Care

Andy Oram

Although the health care industry has made great strides in health IT, large numbers of providers remain slow to reap the benefits of a “digital transformation”. Health care organizations focus on what they get paid for and neglect other practices that would improve care and security. At conferences and meetings year after year, I have to listen to health care leaders tediously explode the same myths and explain the same principles over and over. In this article I'll concentrate on the recent conference, put on in Boston by John Lynn's Healthcare Scene, where the topics of free and open source EHRs, security, and cloud migration got mired down in rather elementary discussions.

Open Source and Standards: Lessons Lost

The sole panel on open source ("How Open Source Can Help Enable Care Coordination and Interoperability") got derailed quite early. Despite the stated topic, the audience questioned the value of open source and kept turning the topic to standards--a related but distinct topic. A good deal of time also flew by as panelists took potshots at various institutions in an attempt to assign blame for the historic setback for open source when the instigator of VistA, the Department of Veterans Affairs, announced that they would abandon that open-source leader for a proprietary Cerner solution. That complex topic has been explored already in Open Health News, so I won't delve into it here.

Open Source Panel. Don Hewitt, Brian Book, Ioana Singureanu - Credit Andy Oram

One member of the audience said that he's happy to use an open source operating system and has contracted with Red Hat. In fact, his organization paid Red Hat to port InterSystems Caché, the legacy database used by the M language (originally MUMPS) and still sticking up shoots throughout health care. The sponsorship of the Caché port is a classic success story of community action in open source, a win-win situation for the sponsor, for Red Hat, for Caché, and for all potential users.

However, this same administrator would not consider an open source EHR. He said that he needs the kind of support provided by Red Hat. Knowing that several companies stand behind VistA and other open source EHRs, the question then becomes: did he not know about that support? Or are all those companies inadequate at the task?

Shahid Shah - Credit Andy Oram

The moderator of the session, Shahid Shah, who served for many years as Chairman of OSEHRA’s Strategic Advisory Board, said "CIOs don’t mind paying for software that comes with assurances and all the 'ilities' like reliability, security, usability, maintainability, and availability. Any software company--such as Red Hat--that can explain why open source improves those ‘ilities’ and backs up the code with ‘one throat to choke’ when something goes wrong will have the CIO’s attention." He went on to say that "selling open source because it’s extensible is also helpful, but only if enough programmers who understand the code are available to take advantage of the code being open."

The big missed opportunity would have been to pick up on the audience's concern for standards. There is no doubt that a lack of interoperability still plagues EHRs. For instance, I heard at the conference of a major hospital chain, routinely rated high in national studies, that could not get EHRs to work together after a merger. Satellite hospital staff have to register each of their patients as a patient of the parent hospital, even if the patient never sets foot in it. Apparently they can still deliver high-quality care, but the cost in health care premiums as well as staff frustration must be high.

Even more damning was a comment by George Florentine of Flatirons, which retrieves legacy patient data and incorporates it into a unified model with 22 categories. Florentine said that a reasonably comprehensive view of patient data can be achieved through the model, which can be exported through XML. But when I asked why they don't propose their model as a standard that all EHR vendors should use, he answered that the vendors would never agree. They consider it a business advantage to preserve separate, opaque, and quirky models that only a few consultants understand. Those consultants also benefit from the opacity of the EHRs.

So someone at the panel discussion should have asked: after years of cohabitation, including a decade of pressure from the US government to interoperate, why haven't the proprietary vendors learned to share data? FHIR may be the breakthrough we need, but we haven't yet seen whether it provides data sharing on a large scale, and it leaves enough room for variation and interpretation (just like earlier HL7 standards) to keep different vendors at odds with one another.

George Florentine - Credit Andy Oram

As I have stated before, health care needs open source in order to achieve standardization.

However, panelist Ioana Singureanu made a pointed remark. She reminded the audience that the VA chose to install Cerner in order to exchange data with the Department of Defense, which is an obvious requirement because they treat the same people at different stages of life. She said, however, that they should have deliberately chosen two different vendors, as a benefit to the entire field of health care. Choosing two vendors and requiring them to finally get data sharing to work would put the weight of two enormous government clients behind the goal of interoperability. Instead, the DoD and VA wussed out, hoping to reach their goal through the same timid reasoning used by their private-sector counterparts. Whether that backward-looking choice will get them what they need is still unknown.

I'll end this section with a brief mention of HealthTerm by CareCom, a sponsor of the conference. They maintain a large number of ontologies such as ICD-10 and LOINC, and offer a wide range of tools to take advantage of those terms, such as analytics and language translation.

Security: Join the Neglected Stepchildren

Repeated front-page headlines remind us monthly that most industries fail to get the concepts of security. Phishing, poor configuration, and other bad choices lead to costly and embarrassing breaches that seem to just get bigger and bigger (the 2017 Equifax breach reportedly put 147 million people at risk--people who largely have no relationship with Equifax and did not choose to store their data with that company).

Health care institutions are equally vulnerable. They face strong pressures to release sensitive information, both from malicious actors and from well-meaning family and friends. Famous people are particularly at risk.

Being in the panel on security ("Healthcare Security in a World of IoT and Big Data Everything") in the same room as an immediately preceding panel on EHR satisfaction ("A Data-driven Look at EHR Satisfaction and Practical Ways to Improve It") was eye-opening; I thought I heard an echo in the room. 

Cybersecurity panel. Fariha Chaudry, Dexter W. Braff - Credit Andy Oram

Proponents for EHR satisfaction and proponents of security both complain that their concerns are undervalued and neglected by upper management. I believe that the same factors degrade both. You can't easily measure the benefit that comes from investing in these areas, and no payment comes through for doing so. But poor results in both areas can be devastating to the institution as well as to patients.

Suggestions at the security panel included: two-factor authentication, prohibiting the insertion of external devices such as USB sticks into hospital systems, content inspection on data that goes out, web filtering, and zero trust (a network architecture that eschews firewalls for authentication and encryption across all systems). Behavioral analytics might catch inside risks: for instance, an account that suddenly starts receiving or transmitting unusual amounts of data at 2:00 AM.
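As an added illustration of the behavioral-analytics suggestion above (my own example, not code from the conference or any vendor), the script below scans a constructed transfer log, builds each account's daytime transfer baseline, and flags off-hours transfers that dwarf it. The business-hours window, the spike factor and the log format are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Assumptions for this example: 07:00-18:59 is normal working time, and an
# off-hours transfer is suspicious when it exceeds 10x the account's daytime mean.
BUSINESS_HOURS = range(7, 19)
SPIKE_FACTOR = 10

# Constructed sample log (not real data): "timestamp account direction bytes".
SAMPLE_LOG = """\
2019-03-04T09:12:00 jsmith out 120000
2019-03-04T10:40:00 jsmith in 80000
2019-03-04T14:05:00 jsmith out 95000
2019-03-05T09:30:00 jsmith out 110000
2019-03-05T02:10:00 jsmith out 4800000000
2019-03-04T08:50:00 rlee in 50000
2019-03-05T02:05:00 rlee out 60000
2019-03-05T03:00:00 tmp_user out 20000
"""

def parse_log(text):
    """Turn each log line into an event dict; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, direction, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "direction": direction, "bytes": int(size)})
    return events

def off_hours_spikes(events, hours=BUSINESS_HOURS, factor=SPIKE_FACTOR):
    """Return (account, timestamp, bytes, ratio) for off-hours transfers that
    exceed factor x the account's daytime mean. Accounts with no daytime
    history at all are reported with ratio None, since there is nothing to
    compare against and an analyst should look at them anyway."""
    daytime = defaultdict(list)
    for e in events:
        if e["ts"].hour in hours:
            daytime[e["account"]].append(e["bytes"])
    findings = []
    for e in events:
        if e["ts"].hour in hours:
            continue
        history = daytime.get(e["account"])
        if not history:
            findings.append((e["account"], e["ts"].isoformat(), e["bytes"], None))
        elif e["bytes"] > factor * mean(history):
            ratio = round(e["bytes"] / mean(history), 1)
            findings.append((e["account"], e["ts"].isoformat(), e["bytes"], ratio))
    return findings

if __name__ == "__main__":
    for hit in off_hours_spikes(parse_log(SAMPLE_LOG)):
        print("off-hours anomaly:", hit)
```

In the sample, jsmith's 2:10 AM transfer is tens of thousands of times its daytime norm and is flagged, rlee's small night-time transfer is not, and tmp_user surfaces because it has no daytime history.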

Shahid Shah, who also moderated the cybersecurity panel, reminded the audience that, "There’s a lot of insider cyber breach that goes unreported or underreported. Without zero trust and regularly audited privilege escalation rules monitoring across major systems, like EHRs and RCM, there may be no hope of real cybersecurity." Shah also said "Boards and senior executives have to balance between convenience, cost, and cybersecurity--one goal must sometimes give way to another."

Normal security practices stress the installation of all patches on devices, but this may be unfeasible where embedded software is involved, especially medical devices. Some devices may stop working if you try to upgrade the underlying operating system. Updates will probably invalidate the warranty. The solution in this situation is to install a modern, fully patched firewall in front of the devices.

I visited the sponsor table for Imprivata, which makes secure systems for health care and other industries. They provide each staff person with a key card that stores a code for the person's identity in an RFID chip. Touching the card to any general-purpose computer (a laptop, tablet, etc.) causes the chip to authenticate the user against an Imprivata server, which is on-premises in case of a network failure. A system that can't reach the Imprivata server can still log in a user to the local computer. Imprivata allows whatever level of security the administrator wants: a password, a key card, or both in the case of two-factor authentication.

So how do we get health care leaders interested in better security? The institution must develop a strategy tying the security requirements to its broader goals. A framework (such as NIST) is useful to provide a common language and permit coordination across teams. The security proponents must do their best to assess risks and consequences, and then present these to the organization's leaders. Bonuses could be instituted for implementing and adhering to a security plan.

It's worth mentioning a non-profit organization named the Health Information Sharing and Analysis Center (H-ISAC), which plays a useful role in the narrow but critical area of recognizing cyber attacks. In a model familiar from other organizations, H-ISAC ties together health care institutions who immediately share information about attacks they detect, so that other organizations can update their intrusion detection software to repel the attack.

Cloud Migration: The Irony of Fear

Health care institutions, like others, have been embracing the use of third-party vendors for storage. The cloud is particularly popular for images, because of their size in digital form. But odd biases still hold many back. The irony is that many are afraid of being put at risk in areas where the cloud actually reduces risk.

For instance, cloud vendors are more secure than most on-premises systems, simply because those vendors hire the best security experts in the business and make security practices such as patching and monitoring central. Yet the fear persists among some health care managers that keeping the data on-premises is fundamentally safer.

Similarly, health care managers worry about loss of access to data during a disaster. But in fact, keeping the data on-premises leaves the institution open to a flood or tornado that could put the system out of commission. If the data is stored in several different geographic locations in the cloud, it will always remain available, and can be accessed through a device on the cellular network, which usually stays up during a disaster.

To woo health care providers, some cloud vendors advertise a "HIPAA-compliant cloud". I find this amusing, because HIPAA is not a very demanding standard in technical terms. Most cloud offerings allow you to encrypt data at rest and in transit, and to log and monitor data transfers. So "HIPAA-compliant" sounds like some sugar to draw curious beasts to the trough. I do think the cloud is a good choice for most health data, actually.

Cloud panel. Clare Bernard, Scott Radner, Tushar Mahajan, Sunnie Southern - Credit Andy Oram

Sunnie Southern, who works at cloud solutions provider Onix as their Health and Life Science lead while advocating for reforms in health care, went over in her keynote some of the crude ideas still circulating in health care. Fears that moving to the cloud will displace staff are more realistic, but reassurance is available. After all, the cloud still requires administration. That becomes a new domain of knowledge that makes staff more valuable. Those who provide high-level thinking of value to their organization will move up. And of course (although no one at the conference said this) the public interest requires the loss of some staff. Otherwise, how can the field achieve the cost reductions it desperately needs?

A panel on the cloud ("Practical Innovation: The Cloud in Healthcare") retold the advantages for health care, which are basically like those in other industries: saving administrative costs, security, scalability, and easy data sharing. The Broad Institute, which has developed the Terra Bio platform for researchers, takes advantage of a particular business policy. Cloud providers offer a few months or a few hundred dollars worth of free service to each new user, and Broad can wield that offer to encourage people to try their tools.

In summary, let's look at why the health care field has not moved as fast as retailers, the finance industry, transportation, and many others to take advantage of modern computing. It's probably because they lack the competitive and environmental pressures that force other businesses to be more efficient and customer-friendly. No one walks out of surgery pre-op because the EHR is proprietary or the heart monitor is insecure--but a bad outcome caused by such things could significantly hurt the patient. We continue to visit our health care providers and pay costs that continue to ratchet up, because we have to. Whoever wants to serve the health care industry or influence policy for it should think about the health IT impacts of these activities, and how health IT improvements can help the cause of reform.